20 February, 2009

I got what I thought might be a phishing e-mail message. I tried to forward it to the supposed originator. It bounced. Then I took a look at the originator’s web site. After looking for a while, this is approximately what I sent to them.

Hello from a former customer. I’d like to alert you to a few things that I noticed about your communications.

The first is that I got the e-mail below and, finding that it pointed to a non-YourCompany address, suspected it of being part of a lure to get information. However, when I visited your Web site after my message bounced, I found that strange-user-name appears to be really your fulfillment address. You might want to make your return address in your public domain, even if messages are then rerouted to your fulfillment service.

Second, my post to your “phishing” account bounced because you don’t have one. Perhaps I should have tried again with “abuse” (which is a pretty standard address for reporting trouble) or even “root”. However, the people who are likely to forward suspected phony messages probably know what phishing is.

Third, you have no “Contact us” link on your home page. That is now part of expected home page layout. Instead, there’s a welter of FAQs, submission forms, and “If this, send to that” instructions scattered over several pages. And phishing wasn’t covered. So you need that link to a simple contact mechanism, with a visible e-mail address, on the home page. It can open a page that says, ‘This will get to us. For quicker response about different subjects, send to these. [table of addresses]’ You can slip that page in front of your existing address pages with few changes. Then you can sort incoming general e-mail by keyword or get help-desk staff to route inquiries to the right group.